CVE-2026-42920 Overview
CVE-2026-42920 is a denial-of-service vulnerability affecting F5 BIG-IP systems. The flaw exists when a Client SSL profile is configured with Allow Dynamic Record Sizing enabled on a UDP virtual server. Undisclosed traffic sent to such a configured virtual server can cause the Traffic Management Microkernel (TMM) to terminate. The TMM is the core data-plane process on BIG-IP, so its termination disrupts traffic handling and triggers a service interruption. The vulnerability is network-reachable, requires no authentication, and no user interaction. F5 notes that software versions which have reached End of Technical Support (EoTS) were not evaluated.
Critical Impact
Remote unauthenticated attackers can terminate the Traffic Management Microkernel on affected BIG-IP UDP virtual servers, causing denial of service against managed application traffic.
Affected Products
- F5 BIG-IP systems with Client SSL profile configured on a UDP virtual server
- BIG-IP configurations with Allow Dynamic Record Sizing enabled in the Client SSL profile
- F5 BIG-IP releases as enumerated in F5 Technical Article K000160901
Discovery Timeline
- 2026-05-13 - CVE-2026-42920 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42920
Vulnerability Analysis
The vulnerability resides in how the Traffic Management Microkernel (TMM) processes traffic destined for a UDP virtual server that has a Client SSL profile bound with the Allow Dynamic Record Sizing option enabled. Undisclosed traffic patterns trigger an error condition in TMM that causes the process to terminate. Because TMM owns the BIG-IP data plane, its termination halts traffic processing for all virtual servers handled by that TMM instance until the process restarts.
F5 classifies the weakness under [CWE-835] (Loop with Unreachable Exit Condition / Infinite Loop), indicating the trigger involves a control-flow condition in TMM that cannot be safely exited. The impact is limited to availability — confidentiality and integrity are not affected per the published CVSS metrics.
Root Cause
The root cause is improper handling of a specific traffic pattern within the Client SSL processing path when Allow Dynamic Record Sizing is engaged on a UDP virtual server. The combination of TLS dynamic record sizing logic and UDP-bound virtual server processing produces an unrecoverable state in TMM, leading to process termination. F5 has not disclosed the precise traffic content that triggers the condition.
Attack Vector
An unauthenticated remote attacker sends crafted UDP traffic to an affected virtual server reachable on the network. No credentials, prior access, or user interaction are required. Successful exploitation terminates TMM and interrupts service for the targeted device. The vulnerability is exploitable only when the prerequisite configuration — a Client SSL profile with Allow Dynamic Record Sizing attached to a UDP virtual server — is present.
No public exploit code or proof-of-concept is available at publication time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to F5 Technical Article K000160901 for vendor technical detail.
Detection Methods for CVE-2026-42920
Indicators of Compromise
- Repeated TMM core dump files or tmm process restart entries in /var/log/ltm and /var/log/tmm.log
- Traffic-handling outages correlated with bursts of UDP traffic to virtual servers using a Client SSL profile
- SNMP traps or high-availability failover events triggered by unexpected TMM termination
Detection Strategies
- Audit BIG-IP configurations for Client SSL profiles with Allow Dynamic Record Sizing enabled and identify which are attached to UDP virtual servers.
- Monitor BIG-IP system logs for tmm process exits, restart messages, and core dumps using existing log aggregation pipelines.
- Correlate UDP traffic spikes against affected virtual servers with TMM restart timestamps to identify exploitation attempts.
Monitoring Recommendations
- Forward BIG-IP ltm, tmm, and daemon logs to a centralized SIEM or data lake for real-time alerting on TMM termination events.
- Track per-virtual-server availability metrics and alert on unexpected drops in active connections following inbound UDP traffic.
- Configure SNMP monitoring for bigipTrafficMgmtTmmRestart and related health traps from F5 devices.
How to Mitigate CVE-2026-42920
Immediate Actions Required
- Identify all BIG-IP UDP virtual servers that have a Client SSL profile attached with Allow Dynamic Record Sizing enabled.
- Apply the fixed software versions published by F5 in K000160901 as soon as they are available for your branch.
- Restrict network access to affected virtual servers using upstream firewalls or access control lists until patching is complete.
Patch Information
F5 has published guidance and fixed versions in the security advisory K000160901. Software versions that have reached End of Technical Support (EoTS) were not evaluated and should be upgraded to a supported release. Verify your running BIG-IP version against the vendor advisory and follow the F5-recommended upgrade path for your deployment.
Workarounds
- Disable Allow Dynamic Record Sizing on the Client SSL profiles attached to UDP virtual servers if the feature is not required.
- Detach the Client SSL profile from UDP virtual servers where TLS over UDP is not strictly necessary.
- Limit source IP ranges that can reach affected UDP virtual servers using ACLs or network firewall rules to reduce exposure.
# Example: identify UDP virtual servers using Client SSL profiles on BIG-IP
tmsh list ltm virtual all-properties | grep -E "ip-protocol udp|profiles"
# Example: disable Allow Dynamic Record Sizing on a Client SSL profile
tmsh modify ltm profile client-ssl <profile_name> allow-dynamic-record-sizing disabled
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
